CVE-2024-23641 HIGH

CVE-2024-23641: Sending a GET or HEAD request with a body crashes SvelteKit

Vendor Sveltejs

Product kit

Weakness CWE-20 · Input validation

Published January 24, 2024

Last update November 13, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue.

Key dates

02Disclosure timeline

January 24, 2024 CVE published

November 13, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-23641 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

Identifiers

CVE CVE-2024-23641

CWE CWE-20

CVSS 7.5 / HIGH

Affected versions

Vendor Sveltejs

Product kit

Affected >= 2.0.0, < 2.4.3

Vendor Sveltejs

Product kit

Affected >= 2.0.0, < 2.1.2

Vendor Sveltejs

Product kit

Affected >= 3.0.0, < 3.0.3

Vendor Sveltejs

Product kit

Affected = 4.0.0

CVE-2024-23641: Sending a GET or HEAD request with a body crashes SvelteKit

01Description

02Disclosure timeline

03References

04Related CVE